Pin GitHub Actions to immutable SHA hashes #48
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Latest actual vulnerability using supply chain attacks this very commit would help protect against https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066 |
JasonLunn
reviewed
Mar 18, 2025
ccache/action.yml
Outdated
| @@ -79,7 +79,7 @@ runs: | |||
| ccache --version || echo "No local ccache installation found" | |||
|
|
|||
| - name: Setup fixed path ccache caching | |||
| uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | |||
| uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4 | |||
There was a problem hiding this comment.
Why use 3.2.4 here rather than 4.2.1 as it is below and in the PR description?
There was a problem hiding this comment.
It seems I have a bug in my tool that automates this. Very sorry let me resolve that.
There was a problem hiding this comment.
So this is fixed but reviewing it more I think it’s missing a few files.
wroersma
force-pushed
the
security/pin-github-actions-sha
branch
from
4f42479 to
b67b56d
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR updates GitHub Actions to their latest versions and pins them to specific SHA hashes rather than version tags to mitigate supply chain attack risks.
Security Rationale
Using version tags like
@v3creates a security vulnerability as the content behind those tags can be modified at any time by action maintainers or by attackers who compromise their accounts. Recent supply chain attacks like the xz vulnerability (CVE-2024-3094) demonstrate how dependencies can be compromised through trusted distribution mechanisms.By pinning to immutable SHA hashes, we ensure that the exact code run by our workflows is never silently changed.
Changes
This PR updates the following GitHub Actions:
Notable Security Improvements
actions/github-script@v3which is used in Docker image validation - a critical security controlTesting
All workflows have been manually validated to ensure they continue to function with the updated action versions.